SNAT problem in Firmware 9.707.

Hi,

Does anyone have problems with SNAT? SNAT (Hide NAT) from LAN to Internet.

After the PPP interface is reconnected and receives a new / different IPv4 address, the UTMv9 is still using the old IPv4 address for old sessions (verified using tcpdump).

Sometimes it resolves by itself ... and sometimes after a restart ...

It's sporadic and I was unable to understand why it's happening.

When there is a problem, new sessions are working and SNAT is using the new IPv4.

Version 9.705-3 and before worked flawlessly with the same configuration.

Is there a way to clear NAT cache?

* Unable to open a case. I'm using the free UTMv9 for personal testing purposes as a VM (although the license specifies that I should be able to open a case ... but it seems that this option got lost at Sophos on the way ...).

Thank You.



Adding explanation.
[edited by: Alexey Haritonov at 2:09 PM (GMT -7) on 23 Oct 2021]
  • Shalom Alexey and welcome to the UTM Community!

    Please insert a picture of the Edit of your SNAT.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi,

    Thank You for the reply.

    My SNAT conf:

  • Wouldn't your Internet IPv4 instead be using the External (WAN) (Address) interface?

    UTM - 9.707 | Intel i3-4150 4th Gen Processor
    16GB Memory | 500GB SATA HDD | GB Ethernet x5

  • Assuming that "ISP Partner Fiber" is your external interface connected to your ISP, that should work.  UTM "culture" is to also select 'Automatic Firewall rule'.

    Instead of using an SNAT, the "standard" way to do this in UTM is with a Masquerading rule:

         

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Yep ... the ppp0 interface should use the new ISP IPv4 ... but it is using the old IPv4 ... or ... on rare occasions doesn't use SNAT at all and traffic goes out with a private IP address.

    See tcpdump:

    ICMP to 8.8.8.8 is using the "old" IPv4 83.130.88.100 ... obviously there are no ICMP replies.

    Using the new IPv4 83.130.91.88, it is working and there are ICMP replies (UTM changed it by itself ... no intervention on my part).

    At the same time the ppp0 interface and the object "ISP Partner Fiber (Address)" display the correct IPv4 address: 83.130.91.88.

    So ... it's definitely a BUG.
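
The symptom described in this thread (old sessions still leaving with the previous WAN address after a PPP reconnect, visible in tcpdump) and the original question "is there a way to clear the NAT cache" both come down to the connection-tracking table on a netfilter box: each tracked flow remembers the source address it was translated to, and that mapping is not revisited when the interface address changes. The script below is an added example and is not code from the thread or from Sophos. It assumes the UTM is Linux/netfilter underneath, that the `conntrack` CLI from conntrack-tools is present on the box (an assumption, not verified on UTM), and that ppp0 is the WAN interface; the conntrack table lines used for the dry run are constructed, reusing the two addresses quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from Sophos): list, and optionally delete,
# conntrack entries that are still source-translated to a stale WAN address
# after the PPP link came back with a new one.
# Assumptions: Linux/netfilter underneath, `conntrack` from conntrack-tools is
# installed (hypothetical on UTM), ppp0 is the WAN interface. Sample data below
# is constructed.

WAN_IF="${WAN_IF:-ppp0}"

# Current IPv4 address on the WAN interface (first address only, prefix stripped).
current_wan_ip() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk 'NR == 1 { sub(/\/.*/, "", $4); print $4 }'
}

# Read `conntrack -L` lines on stdin and print "<reply-dst> <line>" for every
# entry that was source-translated (reply dst differs from original src) to an
# address other than the current WAN address given as $1. On a conntrack line
# the second dst= token is the reply-direction destination, i.e. the address the
# firewall substituted as source on the way out.
stale_snat_entries() {
    awk -v cur="$1" '
    {
        nsrc = 0; ndst = 0; osrc = ""; rdst = ""
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 4) == "src=" && ++nsrc == 1) osrc = substr($i, 5)
            if (substr($i, 1, 4) == "dst=" && ++ndst == 2) rdst = substr($i, 5)
        }
        if (rdst != "" && rdst != osrc && rdst != cur) print rdst, $0
    }'
}

# Distinct stale translation addresses, one per line.
stale_snat_addresses() {
    stale_snat_entries "$1" | awk '{ print $1 }' | sort -u
}

# Delete every tracked flow whose reply destination is a stale address.
# `conntrack -D -q ADDR` (--reply-dst) matches exactly those flows, so sessions
# already translated to the current address are left alone and new sessions
# are not disturbed.
flush_stale_snat() {
    cur=$(current_wan_ip "$WAN_IF")
    [ -n "$cur" ] || { echo "no IPv4 address on $WAN_IF" >&2; return 1; }
    conntrack -L 2>/dev/null | stale_snat_addresses "$cur" | while read -r old; do
        echo "flushing sessions still SNATed to $old (current $WAN_IF address is $cur)"
        conntrack -D -q "$old" >/dev/null 2>&1
    done
}

# Constructed conntrack table: two flows still mapped to the old address
# 83.130.88.100, one already on the new address 83.130.91.88, one LAN-local
# flow that was never translated.
sample_conntrack_table() {
    cat <<'EOF'
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=83.130.88.100 sport=443 dport=51234 [ASSURED] mark=0 use=1
udp      17 29 src=192.168.1.20 dst=8.8.8.8 sport=40000 dport=53 src=8.8.8.8 dst=83.130.91.88 sport=53 dport=40000 mark=0 use=1
icmp     1 29 src=192.168.1.10 dst=8.8.8.8 type=8 code=0 id=1 src=8.8.8.8 dst=83.130.88.100 type=0 code=0 id=1 mark=0 use=1
tcp      6 100 ESTABLISHED src=192.168.1.30 dst=192.168.1.1 sport=5000 dport=22 src=192.168.1.1 dst=192.168.1.30 sport=22 dport=5000 [ASSURED] mark=0 use=1
EOF
}

# Real flush only when explicitly requested; otherwise a dry run over the sample
# so the file is safe to execute anywhere.
if [ "${FLUSH_STALE_SNAT:-0}" = "1" ]; then
    flush_stale_snat
else
    echo "dry run: flows still translated to an address other than 83.130.91.88"
    sample_conntrack_table | stale_snat_entries 83.130.91.88
fi
```

Run it with `FLUSH_STALE_SNAT=1 sh flush-stale-snat.sh` on the firewall (as root) right after the PPP link comes up; the same script could be hooked from an ip-up script, if the platform permits it. Deleting only entries whose reply destination is the stale address is deliberate: a blanket `conntrack -F` would also drop the sessions that are already correct, and the whole point of the thread is that new sessions work.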

  • Hi, thank You for the feedback.

    I will try to change to a Masquerading rule instead of SNAT ... as I don't care if it's a BUG and Sophos doesn't want to fix it ... I just need my environment to function.

  • Hi, the same thing with a Masquerading rule ... already reverted to 9.705-3 ... going to try an even lower firmware version ...

  • Good luck with that.  This sounds more like a broken config - it's rare, but that can happen when applying an Up2Date.  Try restoring a backup made before you applied the last Up2Dates.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA